University of Wisconsin-Madison Policy and Procedure




I. Policy

The HIPAA Privacy Rule and HITECH regulations provide patients and their legally authorized representatives with a right to access, to inspect and to obtain a copy of the patient's protected health information in medical and billing records maintained and retained by a covered entity. This document describes how UW-Madison complies with the Privacy Rule's right to access and defines the limited circumstances in which access to medical and/or billing records may be denied. In the remainder of this policy, the term "patient" refers to the patient or his/her legally authorized representative.

II. Definitions

A. Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

B. Designated Record Set: A group of records so designated which are maintained by or for the UW-Madison Health Care Component and which (1) include the medical and billing records about individuals maintained by a health care provider; and (2) are used in whole or in part for the health care provider to make decisions about individuals. The term "record" means any item, collection or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a health care provider.

C. HITECH: The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to promote the adoption and meaningful use of health information technology.

D. Protected Health Information ("PHI"): Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers.

E. Psychotherapy Notes: Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

F. UW-Madison Health Care Component ("UW HCC"): Those units of the that have been designated by the University as part of its health care component under HIPAA. See Privacy Policy # 1.1 Designation of UW-Madison Health Care Component for a listing of these units.

III. Procedures

A. Each applicable UW HCC unit must designate a staff member or office to receive and process requests for access to or copies of medical or billing records.

B. An individual must make a request to a staff member for access to inspect or obtain a copy of the individual's medical or billing records. The UW HCC unit may require that this request be in writing provided that the patient is informed of this requirement in advance. A record of the request must be maintained by the UW HCC unit.

   1. The individual has the right to request access to inspect or copy his/her medical or billing records which are part of the designated record set (see Privacy Policy # 7.2 Requests by Patients to Amend Protected Health Information for more on the designated record set).

C. The UW HCC unit may limit access to medical and billing records to the business hours during which the unit is open.

D. The UW HCC unit will take action within 30 days after receipt of the request. The UW HCC unit may take one 30-day extension but, within the original time limit, must notify the individual in writing of the reasons for the delay and the date by which it will process the access request.

E. The request of an individual for access to the individual's medical or billing records will be granted unless one of the grounds for denial, listed below in III.G. or III.H., is present.

F. Granting of Request for Access

   1. The patient and the UW HCC unit will arrange a mutually convenient time and place for the individual to inspect or obtain a copy, or both, of the requested PHI. The individual may request that this copy be mailed.

   2. If the individual directs the UW HCC unit to transmit a copy of the PHI directly to another person designated by the individual, the UW HCC unit must provide a copy to such designated person. The individual's request must be in writing, signed by the individual, and must clearly identify the designated person and where to send the copy of the PHI.

   3. The UW HCC unit must provide the patient with access to the PHI in the requested form or format, if it is readily producible in such form or format. If the PHI is not readily producible in the requested form or format, the UW HCC unit must provide the patient with a readable hard copy form, or other form and format as agreed to by the patient and the UW HCC unit.

   4. If the PHI requested is maintained in one or more designated record sets electronically and the individual requests an electronic copy, the UW HCC unit must provide the individual with access to the PHI in the electronic form and format requested by the individual, if readily producible in such form and format. If the PHI is not readily producible in the requested electronic form and format, the UW HCC unit must provide the patient with a readable electronic form and format as agreed to by the patient and the UW HCC unit.

   5. The UW HCC unit may provide the patient with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided, if the patient agrees in advance to such a summary or explanation and to the fees imposed, if any, by the UW HCC unit for the summary or explanation.

   6. If the patient requests a copy of the PHI or agrees to a summary or explanation of such information, the UW HCC unit may impose a reasonable, cost-based fee, provided that the fee includes only the cost of (a) copying; (b) postage (when the patient has requested the copy, summary, or explanation be mailed); and (c) preparing an explanation or summary of the PHI, if agreed to by the patient in lieu of providing access to the PHI.

   7. If, after inspection of the PHI, the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the PHI. The UW HCC unit shall process requests for amendment as detailed in Privacy Policy #7.2 Requests by Patients to Amend.

G. Grounds for Denial Where No Opportunity for Review Is Required

   1. Patients are not allowed access to or copies of the following types of information and denials of access to or copies of this information are not subject to review:

      a. Psychotherapy notes (defined above);

      b. Information compiled in anticipation of or use in a civil, criminal, or administrative action or proceeding;

      c. PHI that is exempt from CLIA, pursuant to 42 CFR 493.3(a)(2) (i.e., PHI created in research laboratories that test human specimens but do not report patient specific results for diagnosis, treatment or health assessment of individual patient).

   2. The UW HCC unit may deny a patient access to or copies of the following types of PHI without providing the patient an opportunity for review:

      a. PHI created or obtained in the course of treatment-related research for which access has been temporarily suspended for as long as the research is in progress, provided that the patient has agreed to the denial of access when consenting to participate in the research and has been informed that the right of access will be reinstated upon completion of the research;

      b. Records that are subject to the Privacy Act of 1974 and the denial of access meets the requirement of that law (note: the Privacy Act of 1974 applies to records held by agencies of the federal government only and therefore this provision is generally inapplicable to UW-Madison); and

      c. PHI that was obtained from someone other than a healthcare provider under a promise of confidentiality and access would likely reveal the source of the information.

H. Grounds for Denial Where Opportunity for Review of Denial Must Be Provided. The UW HCC unit may deny a patient access to his/her own PHI, provided that the patient is given an opportunity to have the denial reviewed, in the following circumstances:

   1. A licensed healthcare professional has determined that the access is reasonably likely to endanger the life or physical safety of the patient or another person;

   2. The PHI makes reference to another person who is not a healthcare provider, and a licensed healthcare professional has determined that the access requested is reasonably likely to cause substantial harm to such other person;

   3. The request for access is made by the patient's legally authorized representative and a licensed healthcare professional has determined that the provision of access to such representative is reasonably likely to cause substantial harm to the patient or another person.

I. Procedures for Denial of Access

   1. When access is denied, the UW HCC unit will provide a written denial to the patient. The denial must be provided within 30 days after receipt of the request for access. The UW HCC unit may take one 30-day extension but, within the original time limit, must notify the patient in writing of the reasons for the delay and the date by which it will process the access request.

   2. The denial must be in plain language and must contain:

      a. The basis for the denial;

      b. A statement of the patient's review rights, if any, including a description of how the patient may exercise such review rights; and

      c. A description of how the patient may complain to UW-Madison (see section J. below) or to the Secretary of the U.S. Department of Health and Human Services. The description must include the name, or title, and telephone number of the UW-Madison HIPAA Privacy Officer.

   3. If the UW HCC unit denies access because the UW HCC unit does not have the PHI that is the subject of the request and the UW HCC unit knows where that PHI is maintained, the UW HCC unit will inform the patient where to direct the request for access.

   4. The UW HCC unit will, to the extent possible, give the patient access to or copies of any other PHI requested, after removing the PHI to which the UW HCC unit has grounds to deny access.

J. Review of Denial of Access

   1. If access is denied on a ground that requires an opportunity for review of the denial, the patient has the right to have the denial reviewed by a licensed health care professional who is designated by the UW HCC unit to act as a reviewing official and who did not participate in the original decision to deny. If feasible, the review should be done by a professional who is a supervisor of the person making the denial or another person in that clinic.

   2. The patient must initiate the review of a denial by making a request for review to the UW HCC unit. If the patient has requested a review, the UW HCC unit will provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time.

   3. The UW HCC unit will promptly provide written notice to the patient of the determination of the reviewing professional. No further review of the denial is required.

IV. Documentation Requirements

The UW HCC unit must document the following and retain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later:

A. The medical and billing records that are subject to access by patients;

B. The titles of the persons or offices responsible for receiving and processing requests for access by individuals; and

C. Any written denials sent to patients.

V. Forms

Sample Letter Notifying of Need for 30 Day Extension
Sample Letter Denying Individual's Request to Obtain a Copy of Protected Health Information

VI. References

45 CFR 164.524 (HIPAA Privacy Rule)
51.61(1)(n), Wisconsin Statutes

VII. Related Policies

Policy Number 7.2 Requests by Patients to Amend

VIII. For Further Information

For further information concerning this policy, please contact the UW-Madison HIPAA Privacy Officer or the appropriate unit HIPAA Privacy Coordinator or sub-Coordinator. Contact information is available within the "Contact Us" tab at hipaa.wisc.edu.

Reviewed By Chancellor Chancellor's Task Force on HIPAA Privacy UW-Madison HIPAA Privacy Officer UW-Madison Office of Legal Affairs
Approved By Interim HIPAA Privacy and Security Operations Committee